September 7, 2016 By Laurène Hummer 4 min read

In May 2016, the National Institute of Standards and Technology (NIST) published a guideline recommending the deprecation of SMS authentication as a second factor for strong authentication.

Many news outlets and security blogs have discussed the issue since then, expressing vastly different takes on the matter. I decided to ask two IBM authentication experts, Dustin Hoff and Ashish Malhotra, for their recommendations.

IBM Experts Weigh In on SMS Authentication

Question: Let’s level set on the basics — what is an SMS one-time password (OTP)?

Malhotra: In SMS-based two-factor authentication (2FA), a user must confirm the intended login or transaction by entering an OTP sent to their mobile phone — typically, a four- to eight-digit numerical code. This authentication method was once believed to protect against man-in-the-middle (MitM) attacks until security professionals realized that text messages can be intercepted by fraudsters just as easily.

How can an SMS OTP be compromised?

Malhotra: If a mobile phone is compromised because its user unwittingly downloaded malware onto it, a fraudster can simply command the malware to monitor text messages, including those containing OTPs, on that phone. Many phones are susceptible to Trojans like Zeus, Zitmo, Citadel and Perkele, which leverage open access to SMS on mobile phones specifically to intercept OTPs.

Many of these Trojans are targeting SMS OTPs, mobile SIM swaps, SIM clones, number porting attacks, fake caller ID and call forwarding scams operated by dishonest customer service representatives at mobile carriers. All of these exploit insecure SMS networks and erode misplaced trust in the channel.

What about for users whose phones haven’t been corrupted by malware? Is SMS OTP safe then?

Malhotra: The security of SMS authentication relies on the security of cellular networks, and with the attacks against Global System for Mobile Communications (GSM) and 3G networks, the confidentiality of text messages cannot be assured. Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped during transmission, even if the receiving device wasn’t infected by malware.

In addition, SMS messages are stored as plaintext by the short message service center (SMSC) before they are successfully delivered to the intended recipient. These messages could be viewed or amended by users in the SMSC who have access to the messaging system. Spying programs such as FlexiSpy enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis.

How are companies reacting to these threats?

Hoff: Despite these security issues, using SMS OTP as a second factor is still better than simply relying on the username/password combo. For this reason, most companies haven’t urgently migrated to other authentication methods.

However, I would expect this migration to take place over time. As smart devices become more and more ubiquitous, myriad new authentication methods will become available. From push-to-approve to biometrics, such as fingerprint scans, retina scans or even voice recognition, safer and more convenient choices will make it easy to do away with SMS OTP.

Malhotra: If we look at companies worldwide, we see that different geographies are at different stages of the authentication journey. South Africa was one of the first markets to move wholesale to SMS OTPs. Today, a large majority of banks there have dropped them in favor of safer, more convenient out-of-band authentication solutions centered on the mobile phone. European banks are fast dropping the technology, too. The technology is still very prevalent in North America, though we see that changing little by little.

Many banks, apps and other consumer-facing services use SMS OTP as a second factor. What’s a private consumer to do?

Hoff: As an end user of secure online services, you can immediately take a few steps to help protect yourself.

To start, you should ensure that you follow strong password guidelines and enable two-factor authentication on all services that support it, including Google, Apple and many others. While this sounds easy, you would be surprised to find how many people don’t take this seemingly simple step.

Next, check to see if your service provider offers alternatives to SMS authentication that you can start using today. For example, many services use a solution like the Google Authenticator that relies on open standards for secure OTPs. Other providers, such as Apple, have more recently started offering OTPs via push notification in order to bypass SMS delivery. There are also multiple vendors that sell relatively low-cost, standards-based, bring-your-own-authenticator hardware tokens, which can provide extra security for a variety of online services.

Finally, regardless of your chosen multifactor authentication method, ensure that you follow good mobile security practices.

What about enterprise use cases? What’s the right authentication strategy for employees, partners, contractors or even customers?

Hoff: As service providers and enterprises, you must also consider the NIST recommendations as part of your larger IAM and online security strategy. Changes may have a large impact on your users and could require additional investment, so it is important to take a thoughtful approach.

To start, remember that SMS-based two-factor authentication is still better than traditional usernames/passwords. Billions of SMS messages are exchanged each day, and while only a fraction of these are OTPs, the system is not going away overnight.

Looking ahead, it’s a good idea to understand the risk associated with different segments of your user population. For example, high-volume users on an online marketplace might be more valuable to your service and therefore pose a greater risk to your business if they are compromised. Once you understand the risk levels associated with different user segments, you can prioritize the implementation of newer, more secure authentication mechanisms.

The third step is to investigate innovations and new technologies for authentication and web access management solutions. While there is no silver bullet, vendors continue to add new functionality in this space to help enterprises and end users alike secure their online activity.

To learn more, watch the on-demand webinar, “Five Steps to Overcome Customer Authentication Chaos.”
